Zlob.Downloader & syssecuritysite.com/



keith98
2006-07-10, 12:35
Zlob.Downloader,
C:\WINNT\system32\stdole3.tlb

res://C:\WINNT\system32\shdoclc.dll/navcancl.htm

http://www.syssecuritysite.com/

pskelley
2006-07-10, 12:55
Welcome to the forum, a man of few words.

Please be advised that most forums Pin the information you need at the top of the page. These two links are a must before you can proceed, but I suggest you review all Pinned (Sticky) information.
http://forums.spybot.info/showthread.php?t=425
http://forums.spybot.info/showthread.php?t=288

The information you probably need, can't be sure without the above instructions having been followed.
http://forums.spybot.info/showthread.php?t=4015

Thanks...pskelley
Safer Networking Forums

keith98
2006-07-10, 13:05
Hi there, your service is very appreciated. I have 2 problems:

1. Zlob.Downloader remains after fixing on Spybot.

2. www.syssecuritysite.com is my unwanted homepage (no pop-ups any more!!!).

Problem 1

Although my Spybot scan flags Zlob.Downloader
data C\WINNT\system\stdole3.tlb, and gives me a big GREEN tick after selecting "fix selected problems", Zlob.Downloader continues to remain.

HijackThis file is below. It seems all is well, but please note I fixed O17 because it was not recognised as a known IP (with no behavioural change to my PC after fixing O17).

Logfile of HijackThis v1.99.1
Scan saved at 7:57:33 PM, on 10/07/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\My Documents\Campus Computers Utilities\HijackThis 1.99.1.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5f4c3d09-b3b9-4f88-aa82-31332fee1c08} - C:\WINNT\system32\hp100.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151472216945
O17 - HKLM\System\CCS\Services\Tcpip\..\{2BEA1E2A-71B8-4935-94F2-023693EFFB53}: NameServer = 132.234.123.1 132.234.123.10
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe


Problem 2

Ad-ware and HijackThis have been used to successfully quarantine some 40 nasties (pop-ups thus eliminated), but this blasted www.syssecuritysite.com is my UNWANTED homepage. It starts with:

res://C:\WINNT\system32\shdoclc.dll/navcancl.htm

shdoclc.dll has been opened and some text accidentally deleted, but I do have a copy.

Please help me with this; it's driving me nuts.

regards
Keith

pskelley
2006-07-10, 14:08
O2 - BHO: (no name) - {5f4c3d09-b3b9-4f88-aa82-31332fee1c08} - C:\WINNT\system32\hp100.tmp

Marker for the Smitfraud trojan, follow the instructions in the link I provided above. Post the three logs in this topic and I will respond as soon as possible after that to see if anything is left to do.

Thanks...

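Added example (not from the thread, and not part of HijackThis or SmitfraudFix): a small Python triage of HijackThis O2 lines that flags the pattern pskelley points at, a BHO with "(no name)" loaded from a .tmp file in system32. The sample lines are constructed from the log quoted above.

```python
import re

# Constructed sample modelled on the O2/O3 lines in the HijackThis log above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5f4c3d09-b3b9-4f88-aa82-31332fee1c08} - C:\WINNT\system32\hp100.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
"""

# HijackThis O2 line layout: "O2 - BHO: <name> - {CLSID} - <path>"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$"
)


def triage_bho(line):
    """Return (clsid, path, reasons) for an O2 line, or None for any other line.

    'reasons' is empty when nothing about the entry looks off."""
    m = O2_RE.match(line.strip())
    if not m:
        return None
    name, clsid, path = m.group("name"), m.group("clsid"), m.group("path")
    reasons = []
    # Legitimate BHOs normally register a display name; Smitfraud's did not.
    if name == "(no name)":
        reasons.append("BHO has no registered name")
    # A BHO is a COM DLL; anything else loaded in-process is worth a look.
    ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
    if ext != "dll":
        reasons.append("BHO loaded from a .%s file instead of a .dll" % ext)
    # Temp-named files dropped into system32 are a classic dropper artefact.
    if "\\system32\\" in path.lower() and ext == "tmp":
        reasons.append("temp-named file in system32")
    return clsid, path, reasons


def suspicious_bhos(log_text):
    """Every O2 entry in the log that raised at least one reason."""
    hits = []
    for line in log_text.splitlines():
        result = triage_bho(line)
        if result and result[2]:
            hits.append(result)
    return hits


if __name__ == "__main__":
    for clsid, path, reasons in suspicious_bhos(SAMPLE_LOG):
        print(clsid, path, "; ".join(reasons))
```
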
tashi
2006-07-10, 18:20
Topics merged.

keith98
2006-07-11, 03:17
Thank you for responding

I have executed the steps, but have trouble opening SmitfraudFix on the desktop, because it does not know which program to use. Furthermore, automatic updates on Ewido were unsuccessful and manual update was not available, so I skipped it.

These issues have prevented me from continuing through the steps.

Please advise

Keith

pskelley
2006-07-11, 03:29
Keith, make sure you use only the "Post Reply" button. Here is a tutorial from the creator of the fix, perhaps the visuals will help.
http://siri.urz.free.fr/Fix/SmitfraudFix_En.php
We have to get the tool downloaded and run in order to fix your problems. Read and follow the directions carefully. I have had a few folks with missing Process.exe. If this occurs, it would be your antivirus program blocking it. Turn off the AV only for the time needed to download the tool.

Instructions from the link if it helps:
Thanks to S!Ri, and any others who helped with this fix.

Please download SmitfraudFix (http://siri.urz.free.fr/Fix/SmitfraudFix.zip) (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm

Thanks...Phil

keith98
2006-07-11, 04:20
Phil,

You might think I am dumb (I'm not very PC savvy), but I tried to disable AVG Free Control Center by using Exit (stopping automatic updates etc.), and re-downloaded SmitfraudFix, but no good; same with Ewido updates. This PC also has NGenFix, but I do not know how to turn it off. I have turned off Ewido. I have Spybot, HijackThis, Ad-ware and Java2 on the desktop.

What would I do next (besides learning a whole new dimension to PCs)?

Thanks for your help
Keith

pskelley
2006-07-11, 11:43
Hi Keith, what I suggest you do is ask someone with more computer experience to give you a hand with this. I am a removal specialist and it is difficult for me to help you with issues like you are having without being able to be in front of the computer. I have given you the same information we give others, so you also might want to review the information, delete anything you have downloaded so far and try again. I will keep the topic open for a while to give you time to do this.

Thanks...Phil

keith98
2006-07-11, 13:06
Thanks for your help.

I'll remove and reinstall following the instructions provided, and resend the logs in a new thread. You can close this thread now if you wish, Phil.

regards
Keith

tashi
2006-07-16, 04:24
This topic is closed.

If you need it re-opened please send me a pm and provide a link to the thread.
Applies only to the original topic starter.